Your system administrator is acting strange. Why you shouldn't trust a program called TrustConnect.

pinkman

Behind the familiar icons lies full access to data.
Proofpoint has reported the emergence of a new malicious platform disguised as a corporate remote administration tool. The service, called TrustConnect, is presented as a legitimate remote support solution, but in reality, it's a remote access Trojan with a subscription model and a fully functional control panel.

The domain "trustconnectsoftware[.]com" was registered on January 12, 2026. The website carried fictitious product information, documentation, and statistics, creating the appearance of a legitimate business. The attackers also used the same site to sell access to the service for $300 per month, paid in cryptocurrency. After registration, customers were asked to transfer funds in Bitcoin or USDT and then manually confirm the transaction. The server verified the payment by cross-checking blockchain data against its own payment database.

The platform's authors obtained an Extended Validation (EV) code-signing certificate in the name of TrustConnect Software PTY LTD, ostensibly from South Africa, and used it to sign their executables. Such a certificate is expensive and requires strict identity verification, so its presence helped the signed files evade security controls. On February 6, 2026, the certificate was revoked with the participation of Proofpoint partners, but previously signed files remained valid.
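A defender triaging a folder of suspicious downloads wants two things the paragraph above implies: which files were signed by the named publisher, and whether the signer's certificate is revoked as of today rather than as of the file's signing timestamp. The PowerShell below is an added example, not code from the article or from Proofpoint. It assumes a placeholder quarantine path and that the publisher string matches the certificate subject quoted above; the `Test-RevokedNow` helper and its parameters are this example's own.

```powershell
# Added example (not from the article or Proofpoint): triage executables by
# Authenticode publisher and current revocation status.
# Assumptions: $Path is a placeholder quarantine folder; the publisher string
# is the certificate subject named in the article.
param(
    [string]   $Path       = 'C:\Quarantine',                 # placeholder path
    [string[]] $Publishers = @('TrustConnect Software PTY LTD')
)

function Test-RevokedNow {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Get-AuthenticodeSignature evaluates a timestamped signature as of its
    # timestamp, which is why files signed before the revocation still verify.
    # Building the chain at the current time with online CRL/OCSP lookups
    # reports the revocation regardless of when the file was signed.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag =
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $null = $chain.Build($Cert)
    return [bool]($chain.ChainStatus | Where-Object { $_.Status -eq 'Revoked' })
}

Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.msi |
ForEach-Object {
    $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
    $cert    = $sig.SignerCertificate
    $subject = if ($cert) { $cert.Subject } else { '' }

    # Case-insensitive substring match against the watch list of publishers.
    $publisherHit = $false
    foreach ($p in $Publishers) {
        if ($subject -like "*$p*") { $publisherHit = $true }
    }

    [pscustomobject]@{
        File       = $_.FullName
        Status     = $sig.Status        # Valid / NotSigned / HashMismatch ...
        Subject    = $subject
        NotBefore  = if ($cert) { $cert.NotBefore } else { $null }
        RevokedNow = if ($cert) { Test-RevokedNow $cert } else { $false }
        Flagged    = $publisherHit
    }
} |
Where-Object { $_.Flagged -or $_.RevokedNow } |
Sort-Object Flagged, RevokedNow -Descending |
Format-Table -AutoSize
```

Run it from an elevated prompt on a machine with outbound access to the CA's CRL/OCSP endpoints; without that access the chain build cannot confirm revocation and `RevokedNow` stays false. The `Status` column is kept so a file that verifies as `Valid` but is signed by a now-revoked certificate stands out as exactly the case the article describes.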

TrustConnect email campaigns were detected at the end of January. The emails were sent from compromised accounts, with subjects ranging from invitations to tenders to notifications about events and government initiatives. The phishing emails linked to executable files like MsTeams.exe, which, when executed, installed TrustConnectAgent.exe and connected to the command and control server.

Several campaigns simultaneously distributed legitimate remote access tools, including ScreenConnect and LogMeIn Resolve. In some cases, after installing the Trojan, the operators deployed outdated versions of ScreenConnect with expired or revoked certificates and also used Level RMM service accounts. This indicates the new platform's close connection to the existing RMM abuse ecosystem.

The TrustConnect control panel lets an operator view the list of infected devices, execute commands, transfer files, and connect to the victim's desktop. Screen recording, masking of operator activity, and User Account Control bypass are supported. Installers are disguised as popular brands such as Zoom, Microsoft Teams, and Adobe Reader. Each file contains a unique token that ties the infected system to a specific customer of the service.

The control server infrastructure was partially disabled on February 17, 2026. However, the operator quickly prepared an alternative site and began testing a new version called DocConnect or SHIELD OS v1.0. The updated version uses a different architecture and supports the injection of PDF decoys directly into the installer.

A Telegram contact, @zacchyy09, was discovered in the TrustConnect dashboard. The same username was also identified as a privileged client in Operation Magnus, which targeted distributors of the Redline and META stealers. Proofpoint assesses with moderate confidence that TrustConnect is backed by a member of the Redline ecosystem or one of its partners.

The TrustConnect story demonstrates that even after major malware services are eliminated, the market is quickly filled with new players. Disguising themselves as corporate tools remains one of the most convenient ways to penetrate networks, and automated development significantly accelerates the launch of such projects.
 